Category Archives: Security

Google: No compromise, likely massive phishing database

A large text file billed as a list of usernames and passwords for more than 4.9 million Google accounts is likely a collection of credentials from different sources, not from a breach of the company's systems, Google stated on Wednesday.

The file was leaked to the Bitcoin Security board on Tuesday by a user known as "tvskit" who claimed that more than 60 percent of the passwords were good, according to translated content on Russian news site RT. Yet, in its own analysis, Google found that only 2 percent of the credentials would have worked and that an even smaller number had been used successfully.

"Our automated anti-hijacking systems would have blocked many of those login attempts," the company's spam and abuse team said in the analysis. "We’ve protected the affected accounts and have required those users to reset their passwords."


iPwned: How easy is it to mine Apple services, devices for data?

Jailbreaking an iPhone to steal its secrets in the name of security research, we unleash Elcomsoft iOS Forensics Toolkit.
Sean Gallagher

Apple executives never mentioned the words "iCloud security" during the unveiling of the iPhone 6, iPhone 6+, and Apple Watch yesterday, choosing to focus on the sexier features of the upcoming iOS 8 and its connections to Apple's iCloud service. But digital safety is certainly on everyone's mind after the massive iCloud breach that resulted in many celebrity nude photos leaking across the Internet. While the company has promised fixes to both its mobile operating system and cloud storage service in the coming weeks, the perception of Apple's current security feels iffy at best.

In light of one high profile "hack," is it fair to primarily blame Apple's current setup? Is it really that easy to penetrate these defenses?

In the name of security, we did a little testing using family members as guinea pigs. To demonstrate just how much private information on an iPhone can be currently pulled from iCloud and other sources, we enlisted the help of a pair of software tools from Elcomsoft. These tools are essentially professional-level, forensic software used by law enforcement and other organizations to collect data. But to show that an attacker wouldn’t necessarily need that to gain access to phone data, we also used a pair of simpler “hacks,” attacking a family member’s account (again, with permission) by using only an iPhone and iTunes running on a Windows machine.


Lynis v1.6.0 Released For Download – Linux Security Auditing Tool

Lynis is an open source Linux security auditing tool. The primary goal is to help users with auditing and hardening of Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even the installation of the software itself is optional! It’s a great tool for [...]

Read the full post at darknet.org.uk

Microsoft Patch Tuesday – September 2014

This month the vendor is releasing four bulletins covering a total of 42 vulnerabilities. Thirty-six of this month's issues are rated Critical.


Dyre malware branches out from banking, adds corporate espionage

A variant of the infamous banking trojan Zeus has gone beyond targeting financial accounts, instead striving to collect another type of sensitive business data: customer information.

The variant, known as Dyre, is a banking trojan that first came to light in June when security companies warned that the Zeus knockoff found a way to bypass Web encryption, known as secure sockets layer (SSL). At the time, it targeted some of the largest global banks, such as Bank of America, Citibank, Natwest, RBS, and Ulsterbank. A recent version of Dyre, however, has begun targeting Salesforce, a popular cloud service for storing customer information, according to analyses.

Other cloud services could just as easily be targeted, according to security firm Adallom.


Quarian Targeted-Attack Malware Evades Sandbox Detection

Last year, we blogged about the actor known as Quarian, who is involved in targeted attacks. This individual or group has been active since at least 2011 and has targeted government agencies. The attacks use spear phishing campaigns with crafted .pdf and .doc files as bait for unsuspecting users.

Recently, we found a new sample that has been detected by hardly any security vendor. The new sample is a modified version of the common binary with reinforcements to prevent its replication in a sandbox if executed without any parameters.

When the sample is run without command-line parameters, it checks for the presence of the following registry key and exits if the key is not present. This AppID check was not present in the version of the malware identified last year.

  • HKCR\AppID\{A941329B-8B10-4060-BCEE-E323018DFFBB}

If the sample is run with a proper command-line parameter, however, it registers itself as a Type Library and Windows service.

Other enhancements include improved boot survival: Quarian now registers itself as a Windows service, instead of creating a Run entry as the previous version did.

The new binary sample appears to have been compiled on March 20.

Quarian connects to the control server visitlink.dnsrd.com, which resolves to 172.246.8.66.

Its commands remain the same as in the previous variant:

  • 0x1: Get host information (OS version, host name, IP address, username)
  • 0x2: Exit control server functions
  • 0x3: Shut down the client
  • 0x4: Run a file, possible backdoor
  • 0x5: Obsolete, no longer used
  • 0x6: Remote shell, used to interactively run commands
  • 0x7: Extended control functions (FindFile, MoveFile, WriteFile, ReadFile, CreateProcess, DeleteFile)
  • 0x10: Write to “cf” file to define sleep time

Most sandboxes will fail to detect this variant of Quarian because it shows no behavior unless a command-line argument is passed to it or the AppID entry is present.

Even though the latest Quarian has many changes (create service, ATL, TypeLib), McAfee Advanced Threat Defense can detect it using our newly enhanced static code-analysis engine, a.k.a. family classification.

The family classification engine provides a unique advantage over sandboxes that rely only on behavior and static file properties to detect malware. The similarity factor in family classification indicates the extent of code changes against the original. With many targeted attacks using new and previously unknown evasion techniques, the family classification engine within Advanced Threat Defense provides a unique differentiator.

The post Quarian Targeted-Attack Malware Evades Sandbox Detection appeared first on McAfee.
